To check if you have failures under SELinux:
adb root
adb shell
cat /proc/kmsg | grep -i avc
<36>[ 134.617184] (0)[230:logd.auditd]type=1400 audit(1522507474.770:24): avc: denied { create } for pid=2918 comm="reen.app.tablet" name="realm_6711365682213135548.cv" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=fifo_file permissive=0
In this example, realm was blocked.
To disable SELinux (requires an AOSP userdebug or eng build, and adb root):
setenforce 0
Making a real (production) rule:
cd /<AOSP_ROOT_FOLDER>
export ANDROID_BUILD_TOP=$PWD
adb logcat -b all -d > mylogcat
./external/selinux/prebuilts/bin/audit2allow -p out/target/product/elink8176_tb_n/root/sepolicy < mylogcat
This is my output:
#============= autokd ==============
allow autokd system_prop:property_service set;
#============= cameraserver ==============
allow cameraserver default_prop:property_service set;
#============= pq ==============
allow pq debug_prop:property_service set;
#============= system_app ==============
allow system_app system_app_data_file:fifo_file { read write };
Now I want to enable system_app so I add this rule to:
./device/mediatek/mt8173/sepolicy/basic/system_app.te
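The post runs audit2allow over the captured log to turn denials into allow rules. The script below is an added example (not from the post or from the audit2allow tool) that does the same collapsing step by hand for the avc line format shown above: it parses each "avc: denied" record, pulls the source/target types out of the contexts, and merges permissions per (source, target, class) into one rule. The sample kmsg lines are constructed, modelled on the denial quoted in the post.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional, Iterable, List

# Constructed sample input: the first line mirrors the denial quoted in the post,
# the second is a follow-on denial for the same domain, the third is a non-denial.
SAMPLE_KMSG = """\
<36>[ 134.617184] (0)[230:logd.auditd]type=1400 audit(1522507474.770:24): avc: denied { create } for pid=2918 comm="reen.app.tablet" name="realm_6711365682213135548.cv" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=fifo_file permissive=0
<36>[ 134.617201] (0)[230:logd.auditd]type=1400 audit(1522507474.770:25): avc: denied { read write } for pid=2918 comm="reen.app.tablet" scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=fifo_file permissive=0
<36>[ 135.000000] (0)[230:logd.auditd]type=1400 audit(1522507475.000:26): avc: granted { set } for pid=300 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
"""

# Matches the fields of an AVC denial record; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


class Denial(NamedTuple):
    perms: frozenset
    source: str      # type of the subject, e.g. system_app
    target: str      # type of the object, e.g. system_app_data_file
    tclass: str      # object class, e.g. fifo_file
    permissive: bool # True if the kernel only logged and did not block


def ctx_type(ctx: str) -> str:
    """Return the type field of an SELinux context such as u:r:system_app:s0."""
    return ctx.split(":")[2]


def parse_denial(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(frozenset(m["perms"].split()), ctx_type(m["scontext"]),
                 ctx_type(m["tcontext"]), m["tclass"], m["permissive"] == "1")


def allow_rules(lines: Iterable[str]) -> List[str]:
    """Merge all denials per (source, target, class) into audit2allow-style rules.
    Review each rule before adding it to a .te file: a broad target type grants
    far more than the single file that triggered the denial."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            merged[(d.source, d.target, d.tclass)].update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_KMSG.splitlines()):
        print(rule)
```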
SELinux and Android
Disable and check SELinux enforcement
Check the status of SELinux:
adb shell getenforce
Disable SELinux enforcement using adb:
adb shell setenforce 0
Or at the kernel command line (during early device bring-up):
androidboot.selinux=permissive
androidboot.selinux=enforcing
In BoardConfig.mk add:
+CONFIG_CMDLINE="androidboot.selinux=permissive"
Example:
elink/elink8176_tb_n/BoardConfig.mk
mediatek/mt8173/BoardConfig.mk
After booting, check the kernel bootargs:
adb shell cat /proc/cmdline
console=tty0 console=ttyMT0,921600n1 root=/dev/ram console=ttyS0,921600n1 androidboot.hardware=mt8173 androidboot.verifiedbootstate=green bootopt=64S3,32N2,64N2 androidboot.selinux=permissive printk.disable_uart=1 bootprof.pl_t=3517 bootprof.lk_t=2108 boot_reason=4 androidboot.serialno=FXN2018020174 androidboot.bootreason=wdt_by_pass_pwk
Read:
https://source.android.com/security/sel ... ice-policy
https://source.android.com/security/sel ... permissive